Office of the Assistant Secretary
for Administration and Management

Office of Inspector General—Office of Audit

Award and Management of Contracts
for Encryption Software
Were Significantly Flawed

Date Issued: March 31, 2005
Report Number 05-05-005-07-720


U.S. Department of Labor
Office of Inspector General
Office of Audit
March 2005

BRIEFLY…
Highlights of Report Number: 05-05-005-07-720, to the Deputy Secretary of Labor.

WHY READ THE REPORT

This report discusses issues surrounding the Department of Labor’s (DOL) efforts to
purchase and implement encryption software, including:

• DOL’s award and administration of a sole-source contract to the Meganet
  Corporation.

• DOL’s decision not to use the Meganet software and services, purchased at a cost
  of $3.8 million.

• DOL’s purchase of Entrust encryption software through a contract with Videla
  International Corporation.

• The current status of DOL’s file and e-mail encryption capability.

WHY OIG DID THE AUDIT

In July 2003, a complainant raised concerns about a contract awarded by DOL to the
Meganet Corporation for the purchase of encryption software and services. We
initiated a preliminary review.

On August 4, 2003, DOL’s Assistant Secretary for Administration and Management
(ASAM) referred the Meganet contract to the DOL Inspector General for audit. The
ASAM noted that the contract awarded to Meganet differed significantly in scope and
value from the proposal reviewed and recommended by DOL’s Procurement Review Board
(PRB) and approved by the ASAM. In addition, the ASAM stated his concerns that the
Meganet software did not perform as expected, that the award of the contract on a
sole-source basis might have been inappropriate, and that the price paid by DOL may
not have been “fair and reasonable.”

WHAT OIG FOUND

• Significant irregularities existed in DOL’s award of a sole-source contract to
  Meganet, including the failure of the former Deputy CIO to disclose an apparent
  conflict of interest.

• Overall responsibility for the Information Technology (IT) and procurement
  functions is delegated to one executive, creating inadequate separation of duties.

• The scope of the sole-source contract awarded to Meganet significantly exceeded
  the procurement proposal that was presented to DOL’s Procurement Review Board
  (PRB) for consideration.

• DOL’s decision to abandon the Meganet products, purchased for $3.8 million, was
  not supported.

WHAT OIG RECOMMENDS

We recommended that the Deputy Secretary of Labor:

• Remove the procurement function from OASAM and create an independent Acquisition
  Office that would report directly to the Deputy Secretary.

• Establish a process to independently review and approve decisions to
  (a) terminate contracts or (b) not use products or services already purchased.

We also recommended that the ASAM:

• Implement controls to ensure that preaward activities are completed before
  contract execution, including reconciliation of limits recommended by the PRB.

• Emphasize conflict of interest laws and regulations to all employees during
  annual ethics training, and remind them of the responsibility to report
  wrongdoing or suspicions of wrongdoing to the OIG.

• Direct IT staff to execute and document a test of the Meganet and Entrust
  products and determine whether and how to use them in meeting DOL’s encryption
  needs.

DOL responded that it has already made some policy and staffing changes, plans to
implement additional controls, and will consider separating the procurement
function from program responsibilities.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full agency response, go
to:
http://www.oig.dol.gov/public/reports/oa/2005/05-05-005-07-720.pdf


Table of Contents

EXECUTIVE SUMMARY

ASSISTANT INSPECTOR GENERAL’S REPORT

RESULTS, FINDINGS, AND RECOMMENDATIONS

   FINDING 1 - There Were Significant Irregularities in the Procurement Process
               Leading to Award of the Meganet Contract

   FINDING 2 - Scope of the Meganet Contract (and Subsequent Modifications) Varied
               Significantly from the Proposal Presented to the PRB for
               Consideration

   FINDING 3 - DOL’s Reasons for Deciding Not to Use the Products Purchased from
               Meganet Were Not Supported

   FINDING 4 - DOL Has Spent Millions of Dollars on Encryption Software and Other
               Products That Are Not Being Used

OVERALL AUDIT CONCLUSION

RECOMMENDATIONS

EXHIBIT
   A. Timeline of Key Events

APPENDICES
   A. Background
   B. Objectives, Scope, Methodology, and Criteria
   C. Acronyms and Abbreviations
   D. Definitions of Key Technical Terms
   E. DOL Response to Draft Report


Executive Summary

We initiated an audit of the Department of Labor’s (DOL) award and management of
a contract with the Meganet Corporation (Meganet) to purchase file encryption
software and related services. Our interest arose from concerns reported to us by a
complainant.
Subsequently, the Inspector General received a memorandum from
the Assistant Secretary for Administration and Management (ASAM) raising
concerns related to this contract.

Our objectives were to determine:

   • Was the sole-source contract awarded to Meganet in compliance with
     government-wide procurement regulations and DOL procurement policies?

   • Did DOL provide adequate justification for not using the products purchased
     through the Meganet contract and, if so, did DOL adequately justify not
     attempting to recover the $3.8 million paid to Meganet?

   • What is the current status of DOL’s file and e-mail encryption capability?

In many instances, DOL files did not contain adequate documentation to support
decisions made and actions taken in awarding and managing the Meganet contract,
abandoning use of the Meganet products, and procuring Entrust encryption
products. DOL personnel frequently provided conflicting accounts of related events.
As a result, we could not always determine the validity or rationale of DOL decisions
and actions. More importantly, DOL officials with oversight responsibility for the IT
and procurement functions could not demonstrate that their decisions were sound.

We found the following:

   1. Delegating responsibility for Information Technology (IT) and procurement
      functions to one individual – the ASAM – results in inadequate separation of
      duties and creates an organizational conflict of interest when purchasing IT
      products and services.

   2. There were significant irregularities in the process of awarding the Meganet
      contract.
      Specifically, there was (a) no documentary evidence that the need
      to purchase encryption software was reviewed by DOL’s Technical Review
      Board (TRB); (b) inadequate documentation of the Information Technology
      Center’s evaluations of preproposal submissions; (c) no written justification
      for use of a sole-source contract; (d) a failure of the former Deputy Chief
      Information Officer to disclose an apparent conflict of interest; and (e) a
      possible bias in preparing the Statement of Work.

   3. Office of the Assistant Secretary for Administration and Management
      (OASAM) and Office of the Solicitor officials, who at some point became
      aware of a relationship between the former Deputy CIO and Meganet’s
      Corporate Counsel that may have created an apparent conflict of interest in
      awarding the Meganet contract, did not refer the matter to the Office of
      Inspector General (OIG).

   4. The scope of the original contract awarded to Meganet included a second
      product not in the proposal presented to DOL’s Procurement Review Board
      (PRB) and approved by the ASAM as a sole-source procurement. The
      contract was later modified to add a third product and adjust the quantities
      available for purchase without further PRB review or approval.

   5. In December 2002, DOL entered into a lease agreement with Videla
      International Corporation to obtain Entrust products for a department-wide
      Public Key Infrastructure (PKI) solution.
      Two of these Entrust products, digital
      signature and e-mail encryption, duplicated the functions of products
      previously purchased from Meganet.

   6. The ASAM’s stated reasons for deciding not to use the products purchased
      from Meganet were not supported. Although the ASAM and his staff stated
      that the Meganet software did not perform as expected in the planned DOL
      PKI environment, there were no test results or other documentation to support
      these assertions. Recent OIG tests of the Meganet product VME 2003
      indicated that the product functioned in OIG’s test environment that was
      configured to represent the environment described in the contract.

   7. DOL obtained large quantities of encryption products at a cost of $5.4 million
      without a fully deployed PKI. Neither the Meganet products and services
      ($3.8 million) nor the Entrust products and services ($1.6 million) currently
      provide benefit to DOL.

CONCLUSION

The Meganet contract was not properly awarded, modified, or managed because of
a lack of organizational separation of duties, inadequate oversight, and insufficient
internal controls. Furthermore, individuals knowingly made decisions and took
actions that violated Government regulations and DOL policies and may not have
been in the best operating or financial interests of DOL. As a result, (a) a contract
may have been improperly awarded on a sole-source basis, (b) $3.8 million in
Meganet products have gone unused without adequate justification, and (c) DOL
spent an additional $1.6 million (as of December 2004) on Entrust products to satisfy
some of the same technical requirements as the unused Meganet products.
The
OIG believes that until procurement and programmatic responsibilities are properly
separated and effective controls put in place, DOL continues to be at risk for the
wasteful and abusive practices evident in its handling of the Meganet contract.

RECOMMENDATIONS

We recommend that the Deputy Secretary of Labor:

   1. Remove the procurement function from OASAM and create an independent
      Acquisition Office whose Director would (a) supervise all DOL procurement
      staff and (b) report directly to the Deputy Secretary.

   2. Establish a process for an independent review and approval of decisions to
      (a) abandon or terminate active contracts or (b) not use products or services
      already purchased. This review and approval should be made by an
      individual or group independent of the DOL agency(ies) involved in the
      purchase or use of the product or service.

   3. Remind all DOL employees of their responsibility to immediately report
      reasonable suspicions of wrongdoing to the OIG.

We also recommend that the Deputy Secretary instruct the ASAM to:

   4. Develop and implement procedures to ensure that all required preaward
      activities (e.g., TRB review, proposal evaluation, etc.) are completed and
      documented prior to execution of a final contract.

   5. Emphasize conflict of interest laws and regulations to all employees during
      fiscal year 2005 annual ethics training.

   6. Develop and implement a procedure to reconcile the terms of PRB approval
      with the related contract terms before final contract execution.

   7. Direct Information Technology Center staff to execute and document the
      results of a formal test of both the Meganet and Entrust products and
      determine whether and how to use them in meeting DOL’s overall encryption
      needs or otherwise obtain value to DOL for the costs incurred.

   8. Develop a policy and implement controls to limit the quantities of information
      technology products that are purchased until there is documented evidence
      that the products are deployable in DOL’s system environment.

DOL RESPONSE

In a written response to a draft of this report, the Deputy Secretary stated that some
steps had already been taken to correct the procurement problems identified in this
report and that additional corrective actions would be implemented. Specifically, he
stated that the Department had (a) instituted controls to prohibit expenditures for
sole-source contracts that exceeded 10 percent of the amount approved by the PRB
and the duration approved by the PRB without prior approval by the Chief
Acquisition Officer; and (b) changed the staff closest to the award of the Meganet
contract.
He also stated that the Department will (c) carefully weigh the reasons
provided for recommending the separation of the procurement function from
OASAM; (d) establish a policy and procedure for reviewing the termination of
substantial or sensitive contracts; (e) remind employees of their responsibility to
report suspected wrongdoing to the OIG; and (f) continue to address conflict of
interest rules in its 2005 required ethics training for all employees.

The Deputy Secretary stated that conducting and documenting a formal test of the
Meganet products’ operational capabilities would provide no benefit because recent
OMB guidance requires all Federal agencies to use one of three approved PKI
service providers. None of these providers uses Meganet encryption software.

OIG CONCLUSION

The response provides sufficient detail to resolve one of the eight OIG
recommendations. The other recommendations remain unresolved pending
additional or more detailed information concerning planned corrective actions. The
OIG does not agree with the Department’s position that the recent OMB guidance
eliminates any ability to utilize the Meganet products purchased.


U.S. Department of Labor
Office of Inspector General
Washington, DC 20210

Assistant Inspector General’s Report

The Honorable Steven J. Law
Deputy Secretary of Labor
U.S. Department of Labor
200 Constitution Ave., N.W.
Washington, DC 20210

In July 2003, a complainant raised concerns about a contract awarded by the U.S.
Department of Labor (DOL) to the Meganet Corporation (Meganet) for the purchase
of encryption software[1] and services. We initiated a preliminary review. In August
2003, DOL’s Assistant Secretary for Administration and Management (ASAM) sent a
memorandum to the DOL Inspector General (IG), referring the Meganet contract for
audit. The ASAM’s memorandum noted that the Meganet contract differed
significantly in both scope and value from the proposal reviewed and recommended
by DOL’s Procurement Review Board (PRB) and approved by the ASAM for a
sole-source award. In addition, the ASAM stated his concerns that the Meganet
software did not perform as expected, the award of the contract on a sole-source
basis might have been inappropriate, and the price paid by DOL may not have been
“fair and reasonable.”

In early 2001, DOL’s Information Technology Center (ITC) identified a need for a
commercial-off-the-shelf (COTS) application to encrypt files. To identify companies
that could potentially offer products to meet this need, DOL’s Office of Procurement
Services (OPS) published a Request for Information (RFI). Since 8 of the 15
companies responding to the RFI were small businesses, DOL designated this
procurement as a “small business” set-aside. OPS then issued a proposed
Statement of Work (SOW) to the eight responding small businesses and asked that
each company submit a capability study. Three of the small businesses responded.
By evaluating the information provided by these three small businesses, ITC
concluded that Meganet was the only respondent capable of meeting the
requirements.
The former Deputy Chief Information Officer (CIO)[2] requested that
the PRB review and recommend approval of a sole-source contract award to
Meganet. The Procurement Review Board recommended, and the ASAM approved,
the award of a sole-source contract to Meganet to “obtain a product and service for
the encryption process needed for the Employee Computer Network” at an
estimated cost of $950,000.

[1] Technical concepts referred to in this report are defined in Appendix D.
[2] DOL’s former Deputy Chief Information Officer was also the Director of DOL’s
    Information Technology Center. The individual who served in this dual capacity
    during the award of the Meganet contract left DOL employment on March 28, 2003.
    Her successor (referred to in this report as the current Deputy CIO) also holds
    these dual responsibilities.

In February 2002, OPS awarded Meganet a sole-source contract to purchase (a) file
encryption software and services and (b) digital signature software and services at a
potential cost between $1.08 million and $4.03 million. Four months later (June
2002), OPS modified the contract to add a third product and services for e-mail
encryption. This modification also reduced the maximum quantities available under
the contract for each product and service. There is no evidence that the PRB
reviewed, or that the ASAM approved, use of this sole-source contract to purchase
digital signature or e-mail encryption products.

In March 2003, after spending $3.8 million for products and services under the
Meganet contract, the ASAM decided not to install any of the software purchased
from Meganet.
Based on information provided to him by his staff, the ASAM
concluded that the Meganet products would not function properly in DOL’s
environment. The current Deputy CIO informed Meganet in a September 2003 letter
that DOL did not intend to use the Meganet products.

Despite the assertion that the Meganet products purchased would not function
properly, the ASAM also decided not to attempt to recover any of the funds paid to
Meganet. An attorney from DOL’s Office of the Solicitor (SOL) advised the Office of
Inspector General (OIG) that it could not defend terminating the contract for default
because the language of the contract was “murky” and it was not clear that Meganet
had not fulfilled all of its obligations under the contract.

In December 2002, DOL began procuring encryption software and hardware by
Entrust through a lease agreement with Videla International. Two of the Entrust
products duplicated the functions – digital signature and e-mail encryption – of
products previously purchased from Meganet. As of December 2004, DOL had
spent $1.6 million on products and services under the Videla contract. However,
neither the Meganet nor the Entrust encryption products are currently being widely
used in DOL because an essential part of the overall security solution, DOL’s Public
Key Infrastructure (PKI), is still being piloted by a limited number of users.
[See
Exhibit A for a timeline of key events, and Appendix A for more background
information.]

The Office of the Assistant Secretary for Administration and Management (OASAM),
ITC, OPS and the PRB provided very limited documentation to support the
procurement and contracting decisions and related actions in these matters.
Personnel involved in awarding the contract to Meganet, abandoning the Meganet
products, and acquiring the Entrust encryption products presented different, and
often conflicting, accounts of events. These matters remain under OIG review.

Our objectives were to determine:

   • Was the sole-source contract awarded to Meganet in compliance with
     government-wide procurement regulations and DOL procurement policies?

   • Did DOL provide adequate justification for not using the products purchased
     through the Meganet contract and, if so, did DOL adequately justify not
     attempting to recover the $3.8 million paid to Meganet?

   • What is the current status of DOL’s file and e-mail encryption capability?


Results, Findings, and Recommendations

OBJECTIVE: Was the sole-source contract awarded to Meganet in compliance with
           government-wide procurement regulations and DOL procurement policies?

No.
The process followed in awarding the sole-source contract to Meganet did not
comply with government-wide procurement regulations or DOL procurement
policies. There were significant irregularities as described in Findings 1 and 2.
These irregularities cast doubt on the appropriateness of awarding this contract to
Meganet on a sole-source basis. By delegating responsibility for Information
Technology (IT) and Procurement functions to one individual, the ASAM, the
resultant lack of separation of duties facilitated this lack of compliance with
procurement requirements.

Finding 1 - There Were Significant Irregularities in the Procurement Process
Leading to Award of the Meganet Contract

There were numerous irregularities in the process used by DOL to award a
sole-source contract to Meganet. Specifically, there was (a) no documentary
evidence that the need to purchase encryption software was reviewed by DOL’s
Technical Review Board (TRB); (b) inadequate documentation of ITC’s evaluations
of pre-proposal submissions; (c) no written justification for use of a
sole-source contract; (d) a failure of the former Deputy CIO to disclose an apparent
conflict of interest; and (e) a possible bias in preparing the SOW. Individually, and
collectively, these irregularities cast doubt on the appropriateness of awarding this
contract to Meganet on a sole-source basis.

No Documentary Evidence that DOL’s TRB Reviewed the Need for Encryption
Software

There was no documentation that the need for encryption software was presented
to, reviewed by, or approved by the TRB as required by DOL policy.
Therefore,
there is no assurance that the encryption software requirement was properly defined
in relation to DOL’s overall IT structure.

Department of Labor Manual Series (DLMS) 9, Chapter 200, DOL Guide to IT
Capital Investment Management, May 2000, states:

       The TRB provides IT investment analysis and recommendations for
       above threshold ($5 million and above annually) and crosscutting
       initiatives to the [Management Review Council] for approval.
       [Emphasis added.]

It further states,

       Technology that is new to the Department or sets new technological
       direction for an Agency or the Department must be presented to the
       TRB for review.

Examples of crosscutting initiatives in the Guide include matters of interoperability,
infrastructure, sensitive and high-visibility initiatives, and instances where several
agencies have similar IT requirements. The need for encryption software, which the
Meganet contract was aimed at fulfilling, was a crosscutting initiative based on all of
these criteria. It was also a new technology within DOL. Therefore, it should have
been reviewed and approved by the TRB regardless of the financial value of the
investment.

The Contracting Officer’s Technical Representative (COTR) for the Meganet
contract stated that the requirement was presented to and discussed by the TRB
prior to awarding the contract to Meganet.
The former Deputy CIO, who was Chair
of the TRB at the time of the procurement, also stated that the requirement for file
encryption was reviewed by the TRB. However, our review of TRB meeting minutes
for the period April 2000 through February 2003, found no mention of file encryption
requirements, the Meganet products, or the Meganet contract.

Inadequate Documentation of ITC’s Evaluation of Preproposal Submissions

ITC did not adequately define or document its evaluation of preproposal submissions
by potential offerors. Therefore, there is no assurance that Meganet actually was
the only (or best) small business capable of meeting ITC’s file encryption
requirement.

On May 2, 2001, DOL published an RFI concerning its file encryption requirements.
Since eight of the responses to the RFI were small businesses, DOL designated the
file encryption procurement as a “small business set-aside.” On June 14, 2001, DOL
mailed a SOW to these eight small businesses inviting each potential offeror to
submit a “capability statement, qualifications, and references” for review. This
mailing was a presolicitation notice as defined in the FAR (Subpart 15.202). Three
of the eight small businesses provided responses. One submission was
immediately judged to be “non-responsive.” The other two submissions were
subjected to a technical evaluation based on a point system. However, DOL did not
clearly communicate the evaluation factors to the potential offerors nor was
documentation of the method and basis of these evaluations available for our
review.
Specifically, we noted that:

    •   The notice provided to potential offerors on June 14, 2001, did not clearly
        identify the evaluation factors as required by FAR.
    •   The evaluation score sheets contained no supporting rationale for the point
        values assigned to the various evaluation criteria for each proposal.
    •   The evaluation score sheets were unsigned and undated.
    •   Two sets of score sheets had conflicting results.

These deficiencies prevented us from determining whether Meganet was properly
identified as the sole responsible small business capable of meeting DOL’s
requirements.

FAR Section 15.202 states

         The presolicitation notice should identify the information that must be
         submitted and the criteria that will be used in making the initial
         evaluation. Information sought may be limited to a statement of
         qualifications and other appropriate information. . . .

While the SOW provided to potential offerors in the June 14, 2001, mailing identified
several broad technical requirements for the file level encryption application needed
by DOL, it did not identify specific evaluation factors to be used in assessing
responses received. For example, the evaluation score sheets we were provided,
which were used in assessing submitted responses, contained six “ease of use”
factors. Although the need to “demonstrate ease of use” was included in the SOW
provided to the potential contractors, no specific evaluation criteria were defined.

When interviewed by OIG auditors, the former Deputy CIO stated that technical
evaluations of responses from two contractors – Meganet and Systems Plus – were
performed. She explained that she assigned this responsibility to two of her staff
and subsequently reviewed the resulting evaluation forms.
She stated that Systems
Plus’s proposal was not a COTS product; therefore, she concluded that Meganet
was the only responsive small-business submission. The COTR for the Meganet
contract also told OIG auditors that signed copies of the evaluations were prepared
and forwarded to the Procurement Office and that additional signed copies of the
evaluations were maintained in ITC’s official file and in the COTR’s personal file.

The COTR alleged that she provided ITC’s official file and her personal Meganet file
to the ASAM’s Special Assistant and the CIO’s Special Assistant, at their request, for
review. According to the COTR, when the files were returned, several documents
(including the signed copies of the evaluations, a chronology of events, and personal
notes) had been removed from the files. The ASAM’s Special Assistant and the
CIO’s Special Assistant acknowledge requesting and reviewing these files, but deny
removing any of their contents.

During the course of the audit, a former ITC staff member that we interviewed stated
that he completed and signed product evaluation forms. He also stated that the
evaluation materials were bundled and provided to the COTR.
However, our review
located only two sets of unsigned, undated evaluation forms in the files OASAM
provided to us.

The unsigned, undated response evaluations demonstrated that two small
businesses submitted responses that were each scored on two sets of score sheets.
In one set of evaluations, Meganet’s proposed product received zero points because
it was deemed incompatible with the version of the Windows operating system being
used by DOL. The product proposal from Systems Plus received 75 points.

One of the evaluators subsequently sent an e-mail to each of the two companies
requesting information in response to specific follow-up questions. Based on their
original responses and the additional information they provided in response to the
e-mail follow-up questions, the companies were then subjected to a second set of
evaluations. However, this time the evaluation criteria were modified by removing
the following question from the original criteria:

       14. Does the product line (vendor) already have a product within the
           ECN? (Implying existing maintenance, historic credibility, past
           experience)

With the removal of this item on the second set of evaluations, Meganet received 95
points and Systems Plus received 90 points. Had this item not been removed from
the evaluation criteria, Systems Plus would have received an additional five points
(for a total of 95) creating a tie with Meganet. Neither set of evaluations contains
any narrative or other supporting information that would explain why the evaluator(s)
assigned given point values to various criteria. There is also no documentation to
explain why item #14 was removed from the second evaluation criteria.

Since neither the evaluation criteria definitions nor the methodology used to
measure the responses against the evaluation criteria were documented, we could
not assess whether the evaluation results were consistent or fair.
Accordingly, we
could not determine the validity of the evaluation results contained in DOL’s files nor
the judgment that Meganet was the best or only potential provider.

No Written Justification for Use of a Sole-Source Award

OASAM did not provide us with the documentation required by government-wide
and DOL regulations to justify the award of a contract to Meganet on a sole-source
basis. As a result, there is no assurance that DOL was justified in limiting
competition in meeting its encryption requirement.

The FAR provides seven limited exceptions to the award of government contracts
through other than “full and open competition” and describes the content of the
justification required for using each of these exceptions. The ASAM’s letter
approving the use of a sole-source contract cited FAR 6.302-1, which states: “only
one responsible source and no other supplies and services will satisfy agency
requirements,” as the appropriate exception to full and open competition for the
Meganet contract.

FAR 6.302-1(d)(1) states

       Contracts awarded using this authority shall be supported by the
       written justifications and approvals described in 6.303. . . .

FAR Section 6.303-1 states,

       A contracting officer shall not commence negotiations for a sole-source
       contract . . . or award any other contract without providing for full and
       open competition unless the contracting officer . . . justifies, if required
       in FAR 6.302, the use of such action in writing [and] certifies the
       accuracy and completeness of the justification. . . .

Further, DLMS 2, Section 836 (f) 1 states,

       ASAM approval is not the final determination for use of ‘other than full
       and open competition.’ Before a proposed acquisition instrument can
       be awarded with ‘other than full and open competition,’ the justification
       for such a noncompetitive action must be prepared in accordance with
       FAR 6.303. . . . The justification in FAR 6.303 [is] in addition to the
       PRB review and ASAM approval.

DOL’s COTR stated that the sole-source contract was justified because Meganet
submitted the only proposal that offered a COTS product, as required. This
assertion was also contained in the materials provided to the PRB for review.
However, DOL’s contract file for the Meganet contract contained nothing to support
this assertion or to satisfy either the FAR or DLMS requirements. As a result, there
is no way for the OIG or anyone else to review or validate DOL’s reasoning for
pursuing a noncompetitive award to Meganet.

Failure to Disclose an Apparent Conflict of Interest

The former Deputy CIO violated Federal regulations and DOL policy when she
participated in the process that led to a sole-source contract award to Meganet
without disclosing an apparent conflict of interest. It is also of concern to us that,
after the Department became aware of a relationship between the former Deputy
CIO and Meganet’s Corporate Counsel, the matter was not referred to the OIG.

In November 2001, the former Deputy CIO initiated a request to award a sole-source
contract to Meganet. As required by DOL’s procedures, she signed form DL1-490,
General Information for the Procurement Review, certifying that she had no present
or prior business, personal, or financial relationship with Meganet. However, the
attorney who was employed as Corporate Counsel for Meganet (and still holds that
position today) had represented the former Deputy CIO in a personal legal matter in
calendar year 2000, prior to Meganet submitting its proposal to sell encryption
software to DOL. In addition, the attorney informed the OIG that, in August and
November 2001, while the Meganet procurement was under way, he reviewed draft
reports relating to the same personal legal matter on behalf of the former Deputy
CIO.[3] The former Deputy CIO did not disclose this relationship to DOL procurement
officials.

Further, in October and November of 2000, the former Deputy CIO corresponded
with Meganet’s Corporate Counsel (via e-mail) regarding encryption-related topics.
As part of this correspondence, the former Deputy CIO provided editing suggestions
on a proprietary Meganet document discussing Virtual Matrix Encryption (VME).
The product documentation provided with the encryption software tested by the OIG
(VME Office 2003, Version 2.0.22.12) states that it uses VME.

When interviewed by the OIG, the former Deputy CIO initially denied knowing that
the attorney who represented her in 2000 was associated with Meganet prior to the
contract award.
However, after we provided her with copies of the e-mail messages
discussed in the previous paragraph, the former Deputy CIO admitted knowing, prior
to the contract award, of his connection to Meganet. She then explained that this
attorney was not representing her in any personal legal matters at the time of the
contract award; therefore, she did not believe there was any conflict of interest.

According to FAR Subpart 3.101,

        The general rule is to avoid strictly any conflict of interest or even the
        appearance of a conflict of interest in Government-contractor
        relationships.

In addition, DLMS 2, Section 835 states,

        The program official responsible for an ‘other than full and open
        competition’ request or a request for contract advisory and assistance
        services shall, . . . explain any past or existing business or personal
        relationships with the proposed recipient or certify that none exist.

Further, 5 CFR 2635.502(a) states,

        Where an employee knows that a particular matter involving specific
        parties is likely to have a direct and predictable effect on the financial
        interest of a member of his household, or knows that a person with
        whom he has a covered relationship is or represents a party to such
        matter, and where the employee determines that the circumstances
        would cause a reasonable person with knowledge of the relevant facts
        to question his impartiality in the matter, the employee should not
        participate in the matter unless he has informed the agency designee
        of the appearance problem and received authorization from the agency
        designee in accordance with paragraph (d) of this section.

[3] This attorney also represented the former Deputy CIO in a separate personal legal matter in
calendar year 2003, after the Meganet contract award.

The former Deputy CIO had an apparent conflict of interest, based on having
employed Meganet’s Corporate Counsel as her personal attorney before the
contract award. Corresponding with Meganet’s Corporate Counsel and providing
technical editing advice on encryption-related topics shortly before DOL began its
search for encryption products further brings into question her ability to be unbiased
in the contract award process. This apparent conflict of interest is of greater concern
in light of the sole-source nature of the contract award.
Under these circumstances,
based on Section 835 of DLMS 2 and 5 CFR 2635.502(a), the former Deputy CIO’s
prior attorney-client relationship with an attorney, who was employed by and
represented Meganet throughout the entire contract award process, precluded the
former Deputy CIO from participating in the Meganet procurement unless she had
disclosed the relationship to appropriate DOL officials and received prior approval to
participate as provided in 5 CFR 2635.502(d). The former Deputy CIO failed to
disclose the relationship or seek approval of her participation in the Meganet matter.

An additional concern is raised by the fact that the ASAM’s August 4, 2003
memorandum referring the Meganet contract to the IG for review, while raising
several concerns about the appropriateness of the sole source contract award to
Meganet, did not include any reference to the relationship between the former
Deputy CIO and Meganet’s Corporate Counsel. In an e-mail sent to five SOL
attorneys on July 31, 2003, the ASAM’s Special Assistant states:

        I have crafted the attached referral to the oig (we did not feel it was
        appropriate to mention the apparent conflict of interest involving [the
        Meganet Corporate Counsel’s] representation of [the former Deputy
        CIO] and meganet).

DLMS 8, Audits and Investigations, Paragraph 713 states

     (a) All DOL employees are responsible for: (1) Promptly reporting . . . to
         their supervisor or the OIG, information that they reasonably believe
         indicates wrongdoing. . . .

     (b) DOL Agency Heads are responsible for: (1) Ensuring that all
         allegations of wrongdoing received by supervisors or managers within
         the Agency are reported promptly to the OIG.

DLMS 8, Paragraph 704(a)(6) defines “wrongdoing” as including “conflict of
interest.”

When interviewed by the OIG in late 2004, two senior SOL attorneys stated that they
were aware of the relationship between the former Deputy CIO and Meganet’s
Corporate Counsel. Both attorneys stated that there was not sufficient information to
establish that a conflict of interest existed. Therefore, they did not believe that the
matter required referral to the OIG pursuant to DLMS 8. Despite their conclusion,
some concerns remained about this relationship, because the attorneys also stated
that it was their understanding that the information about the relationship would be
informally communicated to the OIG in some fashion. However, this informal
communication never occurred.

The OIG believes that the information available to the Department provided a
reasonable basis to suspect possible wrongdoing and, therefore, should have
been referred to the OIG pursuant to DLMS 8.

Possible Bias in Preparing the Statement of Work

The COTR stated that she could not recall the extent of her involvement in writing
the SOW used to solicit proposals.
However, the OIG obtained an e-mail sent by
the COTR to the former Deputy CIO on June 5, 2001, stating, “I actually wrote [the
Statement of Work] by taking it ou[t] of the Meganet book you gave me.” When
shown this e-mail, the COTR stated that the “Meganet book” was a publicly available
brochure that she probably only used to obtain definitions of terms with which she
was unfamiliar. On June 14, 2001, the completed SOW was mailed to Meganet and
seven other small businesses requesting capability statements. The possibility that
the SOW was based on a Meganet product brochure, or other Meganet materials,
raises a serious concern that the SOW may have been prepared in a manner that
unfairly favored Meganet’s products.

Inadequate Separation of Duties Facilitated Noncompliance

Currently in DOL, overall responsibility for the IT function and the procurement
function are both delegated to one individual – the ASAM. This creates an
organizational conflict of interest whenever a procurement action involves IT
products or services. Similarly, an organizational conflict of interest occurs
whenever a procurement action is undertaken in support of OASAM’s operational
mission. OMB Circular A-123, Management Accountability and Control, states:

       Key duties and responsibilities in authorizing, processing, recording,
       and reviewing official agency transactions should be separated among
       individuals.

The ASAM has been delegated procurement and contracting authority in Secretary’s
Order 4-76.
Specifically, the ASAM is responsible for prescribing procurement
policies and procedures, procuring property and services, and resolving questions
and interpretations of Federal Procurement Regulations.

In addition, the ASAM serves as DOL’s CIO. The Clinger-Cohen Act (40 U.S.C.
11315) established the position of CIO in each Federal department. In DOL, the
CIO reports directly to the Secretary and Deputy Secretary and “has [Information
Resource Management] duties as his or her primary duty . . . [emphasis added]”
(Secretary’s Order 3-2003). Currently, this dual role not only conflicts with the
requirement that IRM duties be the primary duty of the CIO, but it also creates a
potential conflict whenever DOL purchases IT products and services. The lack of
adequate separation of duties increases the risk that operational needs and desires
will override sound procurement practices. Likewise, the same organizational
conflict of interest exists whenever a procurement action is taken to meet the
operational needs of any OASAM component.


Finding 2 - Scope of the Meganet Contract (and Subsequent Modifications)
Varied Significantly from the Proposal Presented to the PRB for Consideration

The scope of the original contract with Meganet, effective February 1, 2002,
included a second product not in the proposal presented to DOL’s PRB on
November 26, 2001, and approved by the ASAM on December 5, 2001, as a
sole-source procurement. The contract was modified on June 6, 2002, to add a
third product and adjust the quantities available for purchase
without further PRB review or approval.
Without PRB review, there is no assurance
that Meganet was the only available provider of these additional products.

Original Contract Terms Exceeded the Scope of the Proposal Approved by the
PRB

On November 15, 2001, the former Deputy CIO sent a Procurement Review
package to the ASAM requesting the use of a sole-source contract to obtain “a
product and service for the encryption process needed for the Employee Computer
Network [ECN].” The ASAM, in turn, submitted the proposal to the PRB to review
and make a recommendation regarding the appropriateness of awarding a
sole-source contract. The request described plans to “obtain software necessary to
perform file level encryption, to provide the installation of the software, and to
provide the maintenance on an as needed basis” for the ECN (approximately 1,300
computers). The estimated value of the contract was $950,000. On
November 26, 2001, the PRB recommended that the ASAM approve a sole-source
contract to Meganet. A memorandum, dated December 5, 2001, from the ASAM to
the Deputy CIO, gave approval to pursue a sole-source contract to Meganet.

A DOL contracting officer entered into a sole-source contract with Meganet, effective
February 1, 2002, to purchase (1) a file level encryption application, (2) a digital
signature application, and (3) related maintenance services. The minimum quantity
to be purchased for each of the three items was 4,800 with a maximum purchase
quantity of 18,000 each.
Based on the negotiated fixed price per item, the contract
had a total value between $1.08 million and $4.03 million over the 3-year term of the
contract. The inclusion of a second product (i.e., digital signature application) and
the increased quantities (from 1,300 to potentially 18,000) exceeded the proposal
presented to the PRB for consideration. As a result, the dollar value of the contract
was potentially four times the estimate presented to the PRB.

According to the ASAM, it was December 2002 when he and the PRB became
aware of the variance between the contract proposal submitted for PRB review in
November 2001 and the terms of the actual contract awarded in February 2002. In
December 2002, the former Deputy CIO had forwarded a request to the PRB to
increase the maximum product quantities allowed in the existing contract. The
increases were intended to allow the United States Department of Agriculture
(USDA) to purchase Meganet products under the DOL contract. When the ASAM
noted the difference between the existing contract and the proposal originally
submitted to the PRB in 2001, he withdrew the new request for PRB consideration.

In November 2001, when the original Meganet contract proposal was presented for
PRB review, DLMS 2, Section 836 (a) stated,

       It is the policy of DOL that all requests to award acquisition or
       assistance instruments, or modifications to acquisitions or assistance
       instruments are subject to review by the PRB, which recommends
       approval or disapproval to the Assistant Secretary.

At the time of the Meganet contract award, DLMS 2 did not address the PRB’s
authority to establish scope limitations (e.g., dollar amount, duration) on a contract.
In the case of the Meganet contract, the PRB’s function was only to make a
recommendation regarding the request to award a contract on a sole-source basis.

The OPS Director, in a memorandum to the PRB, stated that he
considered that the
PRB had determined Meganet was the sole-source for encryption products and
services for the ECN, and that the $950,000 presented to the PRB was an estimate,
not a cap. Therefore, the contracting officer did not feel bound by any dollar limit
identified by the PRB. The OPS Director also stated in the memorandum, however,
that in hindsight, the PRB should have been informed that the negotiated contract
price considerably exceeded the estimated amount in the PRB’s approval
memorandum. The contract’s COTR stated that the PRB was informed that the cost
of the contract was an estimate when the proposal was discussed. The PRB did not
indicate that $950,000 was a contract ceiling nor that the COTR needed to return to
the PRB for additional approval if a higher cost was negotiated. Therefore, neither
OPS nor the COTR believed it was necessary to go back to the PRB for approval at
the time the contract was entered into and modified. However, the addition of a new
product to the planned contract would constitute a modification that should have
been subject to PRB review. In the OIG’s judgment, the differences could have
been identified if DOL’s process had required reconciliation between the proposal
reviewed by the PRB and the actual contract terms prior to the contract award.

The ASAM indicated that as a result of the Meganet contract, revisions were made
to DLMS 2 in May 2003. Language was added to allow dollar and term limits to be
established on contracts reviewed by the PRB. DLMS 2, Section 836 I (3) was
amended to state:

       If approved, the ASAM’s decision memorandum will specify the
       approved project duration and funding, as appropriate.
       A new request
       to the PRB will be required if an Agency Head wishes to exceed either
       the approved funding amount by 10 percent (or other percent as
       specified by the ASAM) or extend project duration beyond the
       approved period.

The new policy still does not specify a method for reconciling the contract terms
reviewed by the PRB and those included in the final contract award.

Meganet Contract Scope Modified After Award Without PRB Review

On June 6, 2002, DOL modified the original Meganet contract. The maximum
quantities for the original two products -- file encryption (VME 2000) and digital
signature (VME Sign) -- were reduced from 18,000 to 10,000, and a third product for
e-mail encryption (VME Secure Mail) was added along with related licensing and
administrative support services. The minimum purchase quantity of this new product
was 4,800 units with a maximum purchase quantity of 10,000 units. The COTR and
OPS believed it was not necessary to obtain approval from the PRB for this change
because the total dollar value of the original contract had not increased.

The ASAM and some members of the PRB believe that the original contract of
February 2002 and the modification in June 2002 should have been resubmitted to
the PRB for review because of changes in the scope of the contract. As previously
cited, DLMS 2 Section 836 (a) required that modifications were “subject to review by
the PRB.” These changes should not have been made without PRB review and the
ASAM’s approval. In addition, DOL’s desire to purchase the second and third
products was never announced in the marketplace. Therefore, there is no way to
determine whether other potential contractors (including small businesses) could
have competed with Meganet to fill these additional needs.


OBJECTIVE: Did DOL provide adequate justification for not using the products
purchased through the Meganet contract and, if so, did DOL adequately justify
not attempting to recover the $3.8 million paid to Meganet?

No. The two reasons given by DOL for not using the Meganet products were not
supported. Although Meganet’s products were not certified by the National Institute
of Standards and Technology (NIST) as complying with Federal Information
Processing Standard (FIPS) 140, Meganet was in the process of obtaining the
required NIST certification. DOL provided no documented test results to support
their assertion that the products would not function in DOL’s environment. OIG’s
testing indicated that the VME 2003 product provided to OIG from DOL functioned in
OIG’s test environment designed to represent the environment described in the
contract. The Deputy Assistant Secretary for Administration and Management
(DASAM) provided inadequate oversight to scrutinize and resolve conflicting
information about the ability to implement the Meganet products.


Finding 3 - DOL’s Reasons for Deciding Not to Use the Products Purchased
from Meganet Were Not Supported

DOL’s decision not to install the products purchased under the Meganet
contract was not supported. The CIO’s Special Assistant raised concerns about
the viability of the Meganet products after being hired by DOL in
mid-December 2002. This was 10 months after awarding the contract and after
DOL had received and paid for more than
$3 million of products under the contract. In late December 2002, as part of an
overall PKI acquisition plan, DOL entered into an agreement to lease Entrust
encryption products (a GSA Schedule vendor) through a contract with Videla
International Corporation, a re-seller of Entrust products.[4] Some of these Entrust
products duplicated the functionality of the previously purchased Meganet products.

The ASAM and members of his staff stated to OIG auditors that the Meganet
products did not perform as expected. Specifically, they cited two reasons for
abandoning implementation of the Meganet products: (1) the products did not meet
mandatory certification requirements and (2) the products would not function within
DOL’s proposed PKI structure. However, they provided no documentation to
support these assertions. On September 29, 2003, the current Deputy CIO sent
Meganet a letter stating that DOL did not intend to use any of the products
purchased from Meganet.

[4] Other than determining that Entrust products were available from the GSA schedule, our audit did
not focus on determining whether this procurement complied with the FAR.

In spite of the asserted product deficiencies, and based on advice from an SOL
attorney, DOL decided not to pursue recovery of any of the funds paid to Meganet.
In an interview with OIG auditors, the SOL attorney characterized the contract terms
as “murky” and could not conclude that Meganet had not met its contract obligations.

Product Deficiencies Alleged by DOL

According to the contract COTR, ITC staff did not indicate any major problems with
the Meganet products ordered. However, in December 2002, DOL contracted with
Videla to obtain Entrust encryption software as part of an overall PKI solution plan.
According to the COTR, when she questioned the apparent duplication of the
products in the Meganet and Videla contracts, the CIO’s Special Assistant and the
ASAM’s Special Assistant expressed concerns about installing the Meganet
products. Specifically, the Special Assistants questioned whether Meganet’s
products were properly certified by NIST for compliance with FIPS 140. The COTR
also indicated that the Special Assistants stated that Meganet’s products would not
work with DOL’s proposed PKI unless some information technology issues were
resolved.

The former Deputy CIO stated that, to her knowledge, the CIO’s Special Assistant
was the only individual that had ever raised concerns about whether the Meganet
products worked. In fact, according to the former Deputy CIO, prior to the CIO’s
Special Assistant’s involvement (December 2002), the ITC had thoroughly and
successfully tested and was preparing to deploy the Meganet software.
They were waiting only for DOL’s PKI to be completed and operational.

By March of 2003, DOL had ordered and received the maximum quantities of all
products under the Meganet contract at a total cost of $3.8 million. However, in a
May 8, 2003 letter, DOL rejected payment of the final invoice from Meganet in the
amount of $664,300. The letter cited five specific deficiencies as the basis for
refusing payment:

     1)   the cryptographic module was not validated to comply with NIST FIPS;
     2)   the encryption tool did not implement the “3DES” encryption method;
     3)   the Meganet product was not fully interoperable with DOL’s PKI;
     4)   the digital signature module was not certified to comply with NIST FIPS; and
     5)   the digital signature tool did not implement the “DSA” digital signature
          method.

According to the letter, each of these items was required in the “original statement of
work.”

The ASAM’s office led a series of meetings (March 28, 2003, April 10, 2003, and
May 15, 2003) to discuss concerns about the Meganet products, including the
specific deficiencies listed in the May 8, 2003 letter. DOL officials (including
representatives from the ITC, OPS, and SOL) participated in some or all of these
meetings along with Meganet representatives.

Meganet and DOL officials differed in their assessments of the results of these
meetings.
According to Meganet’s Corporate Counsel, Meganet staff successfully
responded to all operational concerns raised by DOL at these meetings. To support
this conclusion, he pointed out that DOL rescinded its earlier rejection and paid the
final invoice in full (plus interest) on June 2, 2003. However, the ASAM stated that
the parties were unable to resolve the deficiency concerns to DOL’s satisfaction. He
explained that payment of the final invoice was made because SOL staff believed
that DOL’s failure to reject earlier shipments of the Meganet products precluded it
from filing for breach of the contract. On September 29, 2003, the current Deputy
CIO sent Meganet a letter stating that DOL did not intend to use any of the products
purchased or order any further products through the contract with Meganet.

Based on the information available for our review, the five deficiencies cited in the
May 8, 2003 letter do not provide a sound basis for abandoning DOL’s $3.8 million
investment in the Meganet products that had been purchased. The SOW contained
in the awarded contract did not state a requirement for the “3DES” encryption
method (deficiency #2). Although the SOW provided to vendors with DOL’s request
for capability statements did contain this requirement, it was unexplainably omitted
from the contract SOW. We found no testing results or other documentation to
support DOL’s assertion that the “3DES” method was absent from the Meganet
products.

The language in the contract SOW did not specifically require use of the “DSA”
digital signature method (deficiency #5).
Instead, it required that the product
“support Digital Signatures as follows in IAW [in accordance with] FIPS PUB 186-1.”
FIPS PUB 186-1 (December 15, 1998) identifies either the Digital Signature
Algorithm (DSA) or another algorithm (RSA) as appropriate and specifically states
that both do not have to be implemented.5 According to Meganet officials, their
product included RSA services. Again, DOL provided no documentation to
demonstrate that the products lacked this capability.

The contract SOW did require that the Meganet products demonstrate “integration
[with] the agency’s standard PKI solution . . .” (deficiency #3). However, DOL
provided no documentation or other support for its claim that the Meganet products
did not operate with its PKI solution. In fact, since DOL only began defining its PKI
Functional Requirements in May 2002 and is still running its proposed PKI solution
in a limited pilot test, it is unclear how DOL would have determined the lack of
performance of the Meganet products against its PKI environment.

5 Although cited in the contract SOW, at the time of the contract award FIPS 186-1 was
not the current standard. FIPS 186-2, effective July 27, 2000, superseded FIPS 186-1 and
allowed the use of any of three different algorithms in digital signature products –
DSA, RSA, or ECDSA.

Although we agree that FIPS establish certain mandatory standards for all
cryptographic and digital signature modules used by federal agencies, the contract
SOW contains only references to FIPS 180-1 and 186-1.
We found no language in
the contract SOW that identifies other pertinent standards (e.g., FIPS 140-2) or
specifies the need for NIST certification (deficiencies #1 and #4). To avoid any
ambiguity, the contract should have identified all requirements either through specific
language or specific citation to other federal laws or regulations. As with other
deficiencies cited by DOL, it provided no evidence or documentation to support its
assertion of non-compliance.

DOL assertions that Meganet’s products did not possess required NIST certifications
are discussed in detail in the following section.

NIST Certification Was Pending and Likely to Be Approved

The CIO’s Special Assistant stated that the Meganet software was not certified by
NIST as complying with FIPS 140, Security Requirements for Cryptographic
Modules. FIPS 140 is a technical standard that any cryptographic product must
meet before it can be placed on a Federal Government information technology
system. At the time of the contract award, Meganet’s products did not have their
own NIST certification. However, when DOL officials raised this issue, Infogard, a
laboratory accredited by NIST to perform cryptographic validation testing, wrote a
letter to the former Deputy CIO on Meganet’s behalf. The March 25, 2003, letter
stated that Infogard was in the process of testing Meganet’s encryption product and
planned to recommend that Meganet’s product be issued FIPS 140 certification.
The letter further stated that Infogard did not “anticipate any critical issues that would
prevent [Meganet’s products] from being validated by NIST.” In addition, Meganet
argued that it met the certification requirement since its product incorporated
(without change) a Microsoft module that did have NIST certification.
It had provided
DOL with correspondence from a NIST official supporting this interpretation. On
January 27, 2005, Meganet received NIST Certificate #505 validating that its VME
Crypto Engine complied with FIPS 140-2.

The CIO’s Special Assistant stated that the absence of this certification prevented
DOL from using the Meganet products. However, DOL was informed that the
required NIST certification was in process and likely to be approved. DOL also has
reason to believe that the NIST certification requirements had been met through the
incorporation of the Microsoft module. Since DOL already had invested $3.8 million
in the purchase of these products, it seems prudent that it would have worked with
Meganet to overcome this certification concern rather than immediately abandoning
the Meganet products and services based on this issue.

Meganet Products Could Operate in DOL’s System Environment at the Time of
the Contract Award

The CIO’s Special Assistant and the ASAM’s Special Assistant on the one hand, and
ITC officials on the other, provided conflicting opinions about whether the Meganet
products did or did not function properly in DOL’s IT environment. In addition,
Meganet officials claimed that they had developed applications and demonstrated
their product’s operability to DOL technical staff. However, we found no
documentation to support any of these assertions. Specifically, we found no
documentation that DOL had tested the Meganet products at all.
Subsequently, OIG
technical staff were able to demonstrate the functionality of the Meganet software in
a test environment that represented the DOL environment as described in the
contract.

The CIO’s Special Assistant stated that Meganet’s products were not compatible
with DOL’s needs and required modifications because they were not based on
“standard modules.” The CIO’s Special Assistant further stated that Meganet
officials claimed that their product code was proprietary and refused to reveal it to
DOL. According to the CIO’s Special Assistant, Meganet attempted to demonstrate
its product by incorporating Microsoft modules that were available at no charge to
make the Meganet product compatible with DOL’s proposed PKI. The CIO’s Special
Assistant said the product still did not work. We were not provided with any
documentation or other corroborating evidence to support the assertions by the
CIO’s Special Assistant.

Section C.3.1 Task #1 (file level encryption application testing, demonstration, and
evaluation) of the contract with Meganet states:

       The Contractor shall conduct integration testing and demonstration of
       the application or provide the proposed application directly to the
       technical point of contact listed in this SOW. The application testing,
       demonstration, and evaluation shall be performed in the Government’s
       on-site Test, Evaluation and Certification Center (TECC) located in
       room N1301, Francis Perkins Building. The application must
       demonstrate successful integration and operation on the DOL standard
       Windows NT workstation before being accepted.

Both ITC staff and Meganet officials stated that testing of the Meganet products was
performed.
However, no documentation of these tests or their results was found.
The testing reportedly consisted of a demonstration of the products by Meganet staff
on a computer in the DOL lab. Meganet personnel opened, closed, encrypted, and
decrypted files. Meganet personnel discussed how the products functioned, and
DOL personnel explained how the product should operate in the DOL environment.
It is not clear which version of software was tested, but Windows 2000 was running
in the lab at the time the software was demonstrated. ITC and Meganet officials
stated that they believe the product would have worked in DOL’s environment.

The former Deputy CIO stated that DOL had conducted formal, thorough testing of
the Meganet products and that she was aware of no reasons why the products
would not have performed satisfactorily in DOL’s environment. She also stated that
the test results had been documented as required. Specifically, she recalled that the
file of test documentation was substantial in size and included the test plan (7-10
pages), printouts of before and after “screen shots,” and event logs.

Meganet officials stated that their staff had worked with DOL ITC staff to test the
Meganet encryption products and make sure they would run in the proposed DOL
PKI system environment. According to Meganet’s Chief Executive Officer, Meganet
developed an application to test their products in a stand-alone environment. They
also developed four applications that simulated PKI to test their products, since
DOL’s PKI was not in place.
Although Meganet officials claim that these tests
demonstrated that their products worked in DOL’s environment, they also could not
provide any documented test results to support their assertions.

In an effort to resolve these conflicting assertions, OIG obtained copies of the
product from DOL for testing. On November 9, 2004, OIG technical staff, assisted
by Meganet personnel, was able to demonstrate the functionality of Meganet’s VME
Office 2003 product. The OIG was able to determine that the Meganet VME 2003
product functioned in a networked e-mail test environment as described in the
contract. OIG was able to (a) successfully install the Meganet software on three
laboratory computers, one running Windows NT 4.0 Server software and the other
two running Windows NT 4.0 Workstation software; (b) demonstrate functionality of
the VME Office 2003 on the three computers; and (c) successfully test the
encryption and decryption of e-mails transmitted through the OIG Computer Lab
Microsoft Exchange Server.

OASAM’s decision not to use the Meganet products because the products could not
function in DOL’s IT environment at the time of the contract is not supported.

Inadequate Supervision and Oversight

The DASAM was aware that the former Deputy CIO had, prior to her departure from
DOL in March 2003, argued that the Meganet products worked and could be
implemented. Nonetheless, when the issue of formally severing DOL’s relationship
with Meganet was raised with the DASAM in September 2003, he did not question
the assertions by other OASAM staff that the Meganet products neither worked nor
had adequate certification to be implemented. Nor did he raise these issues with the
ASAM; instead, he allowed the action to proceed.
Overall, although the DASAM
was the direct supervisor of the former, current, and interim Deputy CIOs throughout
the time period addressed in this report, there is no indication that the DASAM took
an active supervisory role in the process of awarding the contract to Meganet,
modifying the contract, or otherwise managing the contract.

OBJECTIVE: What is the current status of DOL’s File and
           e-mail Encryption Capability?

Although DOL has spent $5.4 million on encryption products, maintenance and
support services, and PKI related hardware from two contractors (Meganet and
Videla), there is no file or e-mail encryption capability widely implemented
throughout DOL because DOL’s PKI, an essential part of the overall security
solution, has not yet been widely deployed. A PKI Pilot Project, involving a limited
number of DOL users, is ongoing. Department-wide implementation of this
capability may not occur until the end of Fiscal Year (FY) 2005.

Finding 4 - DOL Has Spent Millions of Dollars on Encryption Software and
Other Products That Are Not Being Used

DOL has obtained large quantities of encryption software from two different
vendors, but has not yet deployed the products. DOL abandoned the Meganet
encryption software, purchased at a cost of $3.8 million, and has no plans to
install these products.
DOL has also entered into an agreement to lease Entrust encryption
software and PKI related hardware at a total cost of $2.4 million over 3 years. As of
December 2004, DOL had paid $1.6 million of this total. However, the Entrust
encryption software purportedly cannot be deployed department-wide because the
related PKI is still in a pilot status. As a result, DOL is not benefiting from the
$5.4 million it has spent.

Encryption Software Purchases

DOL has obtained thousands of licenses for encryption software since February
2002, although it did not have a fully deployed PKI framework in which to utilize
these products. From February 2002 through March 2003, DOL purchased 10,000
units each of file encryption, e-mail encryption, and digital signature software from
Meganet. Including the support services purchased with these products, DOL paid
Meganet $3.8 million. In December 2002, it began leasing Entrust encryption
products through an agreement with Videla. From December 2002 through
December 2004, DOL obtained 40,000 licenses to use Entrust’s e-mail encryption
and digital signature software. Including the PKI related hardware and maintenance
services purchased with these products, DOL had paid Videla $1.6 million.

Status of DOL’s PKI Solution Pilot

Before DOL can deploy and benefit from all the encryption products it has
purchased, it needs a fully deployed PKI. However, DOL did not begin its PKI
Solution Pilot until April 1, 2004, more than 2 years after purchasing its initial
quantity of encryption software from Meganet and more than 15 months after
beginning to procure Entrust encryption products from Videla.

Based on information provided by DOL management, 52 employees, including 7
OIG employees, are participating in the pilot. The objective of the pilot is to
demonstrate PKI capabilities in a specific application and provide an opportunity for
users and administrators to gain actual experience using the PKI. Lessons learned
and other data were scheduled to be collected and documented through
December 31, 2004. Deployment of the PKI solution includes the approval and
publication of a regulation in the Code of Federal Regulations. Therefore, DOL
estimates that full deployment may not be completed until the end of FY 2005.

Nevertheless, DOL had obtained licenses for concurrent use of 40,000 Entrust PKI
certificates, e-mail encryption and digital signature software to enable use of these
certificates, and related hardware and maintenance from Videla at a cost, as of
December 2004, of $1.6 million. When combined with the $3.8 million of products
purchased through the Meganet contract, DOL has expended a total of $5.4 million
on encryption products and PKI hardware, which are currently not widely deployed.

In addition, since DOL originally procured the Entrust products through the Videla
contract, changes in the Federal PKI architecture have reduced the number of
licenses and certificates required by DOL. DOL is working with Videla to try and
transfer 15,000 licenses and certificates to another Federal agency.

Given the ongoing nature of DOL’s PKI Solution Pilot, it was unreasonable for DOL
to have obtained large quantities of encryption licenses and certificates.
While
limited quantities could be procured for use in the pilot effort, large-scale obligations
should have been delayed until the PKI solution was complete and the encryption
software was widely deployable.

Overall Audit Conclusion

The Meganet contract was not properly awarded, modified, or managed because of
a lack of organizational separation of duties, inadequate oversight, and insufficient
internal controls. Furthermore, individuals knowingly made decisions and took
actions that violated Government regulations and DOL policies and may not have
been in the best operating or financial interests of DOL. As a result, (a) a contract
may have been improperly awarded on a sole-source basis, (b) $3.8 million in
Meganet products have gone unused without adequate justification, and (c) DOL
spent an additional $1.6 million (as of December 2004) on Entrust products some of
which satisfy the same technical requirement as the unused Meganet products. The
OIG believes that until procurement and programmatic responsibilities are properly
separated and effective controls put in place, DOL continues to be at risk for the
wasteful and abusive practices evident in its handling of the Meganet contract.

Recommendations

We recommend that the Deputy Secretary of Labor:

          1. Remove the procurement function from OASAM and create an
             independent Acquisition Office whose Director would (a) supervise all
             DOL procurement staff and (b) report directly to the Deputy Secretary.

          2. Establish a process for an independent review and approval of
             decisions to (a) abandon or terminate active contracts or (b) not use
             products or services already purchased. This review and approval
             should be made by an individual or group independent of the DOL
             agency(ies) involved in the purchase or use of the product or service.

          3. Remind all DOL employees of their responsibility to immediately report
             reasonable suspicions of wrongdoing to the OIG.

We also recommend that the Deputy Secretary instruct the ASAM to:

          4. Develop and implement procedures to ensure that all required
             preaward activities (e.g., TRB review, proposal evaluation, etc.) are
             completed and documented prior to execution of a final contract.

          5. Emphasize conflict of interest laws and regulations to all employees
             during FY 2005 annual ethics training.

          6. Develop and implement a procedure to reconcile the terms of PRB
             approval with the related contract terms before final contract execution.

          7. Direct ITC staff to execute and document the results of a formal test of
             both the Meganet and Entrust products and determine whether and
             how to use them in meeting DOL’s overall encryption needs or
             otherwise obtain value to DOL for the costs incurred.

          8. Develop a policy and implement controls to limit the quantities of
             information technology products that are purchased until there is
             documented evidence that the products are deployable in DOL’s
             system environment.

DOL RESPONSE

The OIG provided a draft of this report to DOL management for review and
comment. The Deputy Secretary’s written response to the draft report, dated
March 18, 2005, is summarized below and presented in its entirety in Appendix E.
As a result of the written response and separate discussions with DOL officials after
we had issued the draft report, we made technical clarifications in the report where
appropriate.

In its written response, DOL management stated that the OIG report was thorough,
confirmed their concerns about the Meganet contract, and offered constructive
recommendations to prevent future contracting problems. They committed to
continuing to assess and take appropriate actions to enhance changes that they
have begun in the contracting program.
Specifically, DOL management addressed
each recommendation as follows:

Recommendation 1 – The Deputy Secretary agreed to carefully weigh the OIG’s
rationale for recommending that the procurement function be organizationally
separated from OASAM in relation to the procedural and personnel changes that
OASAM has already instituted.

Recommendation 2 – The Deputy Secretary concurred in principle with this
recommendation and directed the ASAM to (a) revise the Department’s procurement
policies to ensure an independent review prior to the termination of substantial or
sensitive contracts and (b) set an appropriate threshold for reviewing decisions not
to use products or services that have already been purchased.

Recommendations 3 and 5 – The Deputy Secretary stated that the Office of the
Solicitor discusses how to avoid conflicts of interest in its required ethics seminars.
To implement our recommendation, he agreed that SOL’s 2005 ethics training would
continue to address an employee’s responsibility to report wrongdoing to the OIG
and the rules governing conflict of interest.
Further, he stated that appropriate
reminders would be sent to employees.

Recommendations 4, 6, and 8 – The Deputy Secretary stated that the Department
had already taken steps to substantially address these recommendations by
(a) revising DOL policy on sole-source contracts to require approval of the Chief
Acquisition Officer if actual spending exceeded the dollar amount approved by the
PRB by more than 10 percent or the contract term exceeded the duration approved
by the PRB; (b) limiting, through the information technology governance structure,
purchases of IT products prior to documenting that the products are deployable in
the Department’s system environment; and (c) reinforcing its policy requiring that
preaward activities be completed and documented prior to execution of a final
contract. He further stated that the Department had made significant changes
among the personnel most closely involved in the Meganet procurement, including
the Deputy CIO, IT staff that worked with the Deputy CIO, and the senior
procurement official.

Recommendation 7 – The Deputy Secretary summarized a perceived contradiction
within the report’s findings. He stated that while the report criticizes the
Department’s award of a contract to Meganet, it also questions the Department’s
decision to set aside the contract and “appears to explicitly endorse Meganet’s
technical capabilities – relying heavily on representations made by the former
Deputy CIO and top Meganet officials.” He further questioned the OIG’s testing of
the Meganet products “assisted by Meganet personnel.” Finally, he argued it would
be doubtful that implementing the OIG’s recommendation to complete a formal test
of the Meganet products would provide significant value and benefit to the
Department. Citing recently issued requirements from the Office of Management
and Budget (Memorandum M-05-05, dated December 20, 2004), the Deputy
Secretary stated that all Federal agencies are now required to use one of three
approved providers for PKI services. He stated that none of the three currently
approved providers uses Meganet’s encryption software.

OIG CONCLUSION

Based on the information contained in the Deputy Secretary’s written response to
the draft report, Recommendation 3 is resolved. To resolve each of the other
recommendations, we need a more complete and detailed description of planned
corrective actions. Our specific assessment of the Deputy Secretary’s response to
each recommendation follows.

Recommendation 1 – The Deputy Secretary committed to “carefully weigh” the
reasons for this recommendation. This recommendation is unresolved pending a
final decision regarding removal of the procurement function from OASAM.

Recommendation 2 – The stated action does not address both aspects of this
recommendation.
The ASAM has been directed to revise the Department\xe2\x80\x99s policy to\nensure a review for \xe2\x80\x9ctermination of substantial or otherwise sensitive contracts.\xe2\x80\x9d\nHowever, the response does not include a corrective action for reviewing decisions\nto not use products or services already purchased. This recommendation is\nunresolved pending an action plan related to the review of decisions not to use\nproducts or services already purchased.\n\nRecommendations 3 \xe2\x80\x93 The Office of the Solicitor will address employees\xe2\x80\x99\nresponsibility to report wrongdoing to the OIG in the required 2005 ethics training. In\naddition, appropriate reminders will be sent to employees. This recommendation is\nresolved and will be closed based on the Department providing evidence that these\nactions have occurred.\n\nRecommendation 4 \xe2\x80\x93 The Department has \xe2\x80\x9creinforced its policy requiring that pre-\naward activities are completed and documented prior to execution of any final\nprocurement contract.\xe2\x80\x9d However this recommendation is unresolved until (a) the\nOIG receives specific information on how this reinforcement was accomplished and\n(b) the Department defines procedures or internal controls to assure that program\nand procurement personnel comply with policy requirements. As an example, the\nDepartment might consider implementing a checklist of preaward requirements that\nwould be signed off by a senior procurement official prior to final contract execution.\n\n\n\n26                                    U.S. 
Recommendation 5 – The Department stated that the SOL already discusses how to
avoid conflicts of interest in its annual ethics seminars and will continue to address
the subject in its 2005 training. However, this recommendation is unresolved
pending more specific information describing how SOL will emphasize the conflict of
interest laws and regulations in this year’s training.

Recommendation 6 – The Department has not developed and implemented
procedures to reconcile the terms of PRB approval with the related contract terms
before final contract. This recommendation is unresolved until the Department
defines procedures or internal controls to assure that program and procurement
personnel comply with any contract limits recommended by the PRB and established
by the ASAM.

Recommendation 7 – We see no conflict in our report. We reported that the
Department’s procedures were flawed and poorly documented. Therefore, its
actions did not assure that it made the appropriate decisions in awarding the
contract to Meganet and later abandoning the products purchased. The OIG does
not endorse the Meganet products or assert that they can satisfy the Department’s
requirements. We recommend that the Department make this determination through
formal, documented testing of the Meganet products. If this testing determines that
the Meganet products cannot be used to benefit the Department, the
recommendation further requests an action plan to identify possible options to
recover some or all of the investment in these products.

We disagree with the Department’s position that the December 20, 2004, OMB
directive eliminates the possibility of using the Meganet products. First, a technical
supplement, issued by the General Services Administration on March 3, 2005, states
that compliance with the OMB directive can be achieved in either of two ways: (1)
by cross-certifying an agency’s certification authority with the Federal Bridge or (2)
by purchasing PKI services from one of the approved Shared Service Providers.
Second, there are encryption needs that do not rely on PKI (e.g., file encryption). In
fact, this was the originally stated requirement of the Meganet procurement action.
Finally, PKI services do not utilize encryption software; rather, encryption software
utilizes PKI services. Since Meganet’s products currently work with at least one of
the three shared service providers available through the General Services
Administration program (Verisign), it may be possible to use one or more of the
Meganet products purchased and still comply with the OMB directive.

This recommendation is unresolved pending the Department’s (a) plan to formally
test the Meganet and Entrust products, (b) determination of whether and how best to
use all encryption products purchased to date, and (c) pursuit of options to obtain
value for products purchased but not deployed.

Recommendation 8 – The Department stated that its information technology
governance structure “limits purchases of IT products prior to obtaining
documentation that the products are deployable.” This recommendation is
unresolved pending more specific information about how the existing structure
assures that purchases are limited prior to evidence that they can be deployed.

Elliot P. Lewis
December 22, 2004


Exhibits

Exhibit A

Timeline of Key Events

Date         Event
05/02/2001   DOL publishes “sources sought” notice for file encryption
             products in Commerce Business Daily.
06/14/2001   DOL’s ITC sends a request for quote and capabilities study to
             eight small businesses.
11/26/2001   DOL’s PRB reviews request to award a sole-source contract to
             Meganet; estimated contract value is $950,000.
12/05/2001   The ASAM approves awarding a sole-source contract to
             Meganet.
02/01/2002   DOL awards sole-source contract to Meganet; original contract
             value is between $1.1 and $4 million.
02/05/2002   DOL approves first invoice for $613,200 to Meganet.
06/06/2002   DOL modifies Meganet contract scope to add new products and
             services; no PRB review.
12/04/2002   The former Deputy CIO requests expansion of Meganet contract
             to include quantities requested by USDA.
12/2002      The CIO’s Special Assistant begins employment at DOL.
12/24/2002   DOL enters into agreement with Videla to purchase Entrust
             encryption products.
02/11/2003   The ASAM withdraws request to the PRB for modification of
             Meganet contract based on the CIO Special Assistant’s
             recommendation.
03/2003      The ASAM makes decision not to use Meganet products.
03/28/2003   The former Deputy CIO leaves DOL employment.
06/02/2003   DOL pays final invoice for $664,300 to Meganet. Total contract
             payments equal $3.8 million.
07/24/2003   Complainant raises concerns about Meganet contract to OIG.
07/31/2003   The ASAM’s Special Assistant sends an e-mail to several SOL
             attorneys. The e-mail contains a proposed memo for their
             review from the ASAM to the IG referring the Meganet contract
             for review. In the e-mail, the ASAM’s Special Assistant states
             that it is inappropriate to mention the former Deputy CIO’s
             apparent conflict of interest to the IG.
08/04/2003   The ASAM sends a memo to the IG referring the Meganet
             contract for possible review by the OIG.
09/29/2003   The current Deputy CIO sent a letter to Meganet stating that
             DOL will not be using Meganet products.


Appendices

Appendix A

Background

On July 24, 2003, we received allegations from a complainant concerning a contract
that DOL had awarded to Meganet for the purchase of encryption software for file
and e-mail security. As a result, we began gathering preliminary information on the
contract.

On August 4, 2003, DOL’s Assistant Secretary for Administration and Management
(ASAM) sent a memorandum to the DOL Inspector General (IG), referring the
Meganet procurement and contract for audit consideration. In the memorandum,
and a subsequent discussion with OIG auditors, the ASAM raised three issues that
had come to his attention about the sole-source contract awarded to Meganet:

   1. The terms of the actual sole-source contract awarded to Meganet varied
      significantly from those presented to the PRB for review and approved by
      him.

   2. Other contractors might have been able to provide products to meet DOL
      needs at a lower price than Meganet. Thus, the Meganet contract may have
      been improperly awarded on a sole-source basis.

   3. DOL had decided not to use the products purchased from Meganet.

The IG acknowledged the ASAM’s referral in a memorandum on August 7, 2003,
noting that the OIG was already looking into aspects of this procurement as a result
of a complaint received.

History of Meganet Contract Award

In May 2001, DOL published a “sources sought” notice in the Commerce Business
Daily to identify companies that could provide commercial off-the-shelf software to
perform file level encryption. This requirement was to support the implementation of
the Government Paperwork Elimination Act (GPEA) by providing confidentiality and
authentication capabilities for stored data. DOL required that the software be
compatible with its PKI and any applications used by the general public (e.g.,
Microsoft Office 2000 and Outlook).

In May 2001, DOL’s Information Technology Center (ITC) determined that eight of
the fifteen responses received were from small businesses. As a result, DOL
decided to limit the procurement to small businesses.

In June 2001, DOL requested that each of the responding small businesses provide
a capabilities study. Three of the companies responded to this request; one was
disqualified because it did not provide the detailed capability information required.
Subsequently, two ITC officials completed technical evaluations of proposals
submitted by Meganet and Systems Plus. Only Meganet was determined to have an
off-the-shelf product ready for distribution.

After requesting and obtaining approval from the A/S for Administration and
Management, DOL awarded a contract to purchase file encryption and digital
signature software and support services to Meganet on a sole-source basis effective
February 1, 2002. Subsequent to the original award, DOL modified the Meganet
contract to allow the purchase of an additional (third) product – e-mail encryption
software.

In December 2002, DOL entered into an agreement with Videla International
Corporation (Videla) to lease Entrust products including software for file encryption
and digital signature.

By March 2003, DOL had ordered and received the maximum quantities (10,000
units of each product) allowed under the Meganet contract at a total cost of $3.8
million.

In September 2003, DOL notified Meganet by letter that it did not intend to
implement any of the Meganet products purchased and that it would not make any
additional purchases under the existing contract.

As of December 2004, DOL had paid Videla $1.6 million to use 40,000 Entrust PKI
certificates, e-mail encryption and digital signature software to enable use of these
certificates, and related hardware and maintenance.

Key Participants

Several DOL personnel were involved in the award and administration of the
Meganet contract, the decision not to implement the Meganet software, and the
procurement of Entrust encryption software through the Videla contract. During the
relevant timeline, some individuals left DOL, others joined DOL, and still others
changed job responsibilities. The following chart is presented to assist in
understanding the organizational roles of these individuals.

Organization Chart
DOL Office of Assistant Secretary for Administration and Management (OASAM)
Procurement and Information Technology Functions Only

   •    Assistant Secretary for Administration and Management
        (and Chief Information Officer)
        •    Special Assistant to the Assistant Secretary
        •    Special Assistant to the Chief Information Officer
        •    Deputy Assistant Secretary for Operations
             •    Director, Information Technology Center
                  (and Deputy Chief Information Officer)
                  •    Contracting Officer’s Technical Representative
             •    Director, Business Operations Center
                  •    Office of Procurement Services


Appendix B

Objectives, Scope, Methodology, and Criteria

Objectives

Our objectives were to determine:

   •    Was the sole-source contract awarded to Meganet Corporation (Meganet) in
        compliance with government-wide procurement regulations and DOL
        procurement policies?

   •    Did DOL provide adequate justification for not using the products purchased
        through the Meganet contract and, if so, did DOL adequately justify not
        attempting to recover the $3.8 million paid to Meganet?

   •    What is the current status of DOL’s file and e-mail encryption capability?

Scope

The focus of the audit was the appropriateness and adequacy of DOL’s award and
management of Contract # J-9-M-2-0012. This contract was a sole-source award to
Meganet to provide commercial off-the-shelf encryption software, licensing, and
maintenance. The contract was effective on February 1, 2002, for a 3-year period.

Methodology

OIG auditors completed the objectives by (a) reviewing pertinent Federal and DOL
contracting regulations and policies, (b) reviewing and analyzing all available
documentation related to the award and management of the Meganet contract, and
(c) interviewing all appropriate DOL and contractor officials and staff involved in
either the award or management activities. Due to the lack of available
documentation and the conflicting testimonial evidence received, OIG auditors
obtained sworn statements from selected individuals with knowledge of the contract
award and management activities.

Our audit was performed in accordance with generally accepted Government
Audit Standards issued by the Comptroller General of the United States.

Criteria

18 U.S.C. Section 208
18 U.S.C. Section 216
5 CFR 2635.502
Federal Acquisition Regulation
Secretary’s Order 1-2000
Secretary’s Order 3-2003
Secretary’s Order 4-76
DLMS-2
DLMS-8, Chapter 700
DLMS-9, Chapter 200
DOL’s Guide to IT Capital Investment Management

Appendix C

Acronyms and Abbreviations

ASAM          Assistant Secretary for Administration and Management
CIO           Chief Information Officer
COTR          Contracting Officer’s Technical Representative
COTS          Commercial-Off-the-Shelf
DAEO          Designated Agency Ethics Officer
DLMS          Department of Labor Manual Series
DOL           Department of Labor
ECN           Employee Computer Network
FAR           Federal Acquisition Regulation
FIPS          Federal Information Processing Standards
FY            Fiscal Year
IG            Inspector General
IT            Information Technology
ITC           Information Technology Center
Meganet       Meganet Corporation
NIST          National Institute of Standards and Technology
OASAM         Office of the Assistant Secretary for Administration and Management
OIG           Office of Inspector General
OPS           Office of Procurement Services
PKI           Public Key Infrastructure
PRB           Procurement Review Board
RFI           Request for Information
SOL           Office of the Solicitor
SOW           Statement of Work
TECC          Test, Evaluation and Certification Center
TRB           Technical Review Board
U.S.C.        United States Code
USDA          United States Department of Agriculture
VME           Virtual Matrix Encryption

Appendix D

Definitions of Key Technical Terms

Decryption
The process of transforming encrypted data back to its original form so that it can be
understood.

Digital certificates
The digital equivalent of an ID card used in conjunction with a public key encryption
system.

Digital signature
An electronic signature that is used to authenticate the identity of the sender of a
message or the signer of a document. A digital signature can also be used to
ensure the original content of the message or document was not altered after it was
signed.

Digital signature application
Software that allows a user to digitally sign documents.

E-mail encryption software
Software used to protect the confidentiality of e-mail messages by encrypting and
decrypting the e-mail between sender and receiver.

Encryption
The process of transforming information from plain text into a format that cannot be
easily understood by unauthorized persons.

Encryption application
Application that allows for encryption and decryption of data.

File encryption
To encrypt a file (data, text, etc.) in order to protect its contents from unauthorized
access.

License
A permission code, received from a software developer, which allows the user to
gain access to a particular version of software (sometimes called a “registration
code”).

Public Key Infrastructure
A framework for creating a secure method for exchanging information based on
public key cryptography. The foundation of a PKI is the certificate authority (CA),
which issues digital certificates that authenticate the identity of organizations and
individuals over a public system such as the Internet. The certificates are also used
to sign messages, which ensures that messages have not been tampered with.


Appendix E

Response to Draft Report

"